|
Many systems currently rely on Ron Rivest's MD5 for hashing users' passwords. This algorithm is weak and deprecated, but some developers continue to use it for new systems. It is not hacked in general, but there are many databases for decrypting MD5 containing more than 10 billion words.
Probably many Facebook developers are doing the same for their social network, and it has been hacked many times and millions of passwords were stolen. There are plenty of hacking services, some of them probably working, offering hacking of FB accounts.
That's why I would advise everyone NOT to use MD5 for anything - just replace it with SHA1.
Life is a stage and we are all actors!
|
|
|
|
|
In fact, MD5 has major vulnerabilities and any SSL certificate signed using MD5 can be forged. Therefore, it is not collision resistant. Regarding the one-way property I am not sure, and as you mentioned there are rainbow tables; however, those can be overcome easily by appending a key.
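The two posts above touch on why the MD5 lookup databases work and why a per-user random value defeats them. The script below is an added illustration, not code from any poster: it builds a tiny precomputed table from a constructed wordlist, shows that it reverses unsalted MD5 digests directly, and contrasts that with a salted, iterated PBKDF2-HMAC-SHA256 scheme (from Python's standard library) whose digests the same table cannot match. User names, passwords and the storage format are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two users who happen to share a password, plus a
# constructed "attacker wordlist" of common passwords.
USERS = {"alice": "Summer2010", "bob": "Summer2010", "carol": "hunter2"}
WORDLIST = ["123456", "password", "Summer2010", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme discussed above: one fixed digest per password, so a
    precomputed MD5 table (the '10 billion words' databases) reverses it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_lookup_table(words) -> Dict[str, str]:
    """Precompute digest -> plaintext once; reuse it against every leaked DB."""
    return {md5_unsalted(w): w for w in words}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per user means no
    precomputed table can apply, and the iteration count slows guessing."""
    if salt is None:
        salt = os.urandom(16)  # cryptographically strong randomness
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constructed storage format: algorithm$iterations$salt$digest
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def recover_unsalted(users: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Simulate the lookup attack against an unsalted-MD5 user table."""
    return {u: table[md5_unsalted(p)] for u, p in users.items()
            if md5_unsalted(p) in table}


def recover_salted(users: Dict[str, str], table: Dict[str, str],
                   iterations: int = 600_000) -> Dict[str, str]:
    """Same lookup against salted PBKDF2 records: the stored digest never
    equals any MD5 in the table, so nothing is recovered."""
    records = {u: hash_password(p, iterations=iterations) for u, p in users.items()}
    return {u: table[r.split("$")[3]] for u, r in records.items()
            if r.split("$")[3] in table}


def salted_digests_differ(password: str, iterations: int = 600_000) -> bool:
    """Two users with the same password get different stored records."""
    return hash_password(password, iterations=iterations) != \
        hash_password(password, iterations=iterations)


if __name__ == "__main__":
    table = build_md5_lookup_table(WORDLIST)
    print("unsalted MD5 recovered:", recover_unsalted(USERS, table))
    print("salted PBKDF2 recovered:", recover_salted(USERS, table))
    rec = hash_password("Summer2010")
    print("verify correct:", verify_password("Summer2010", rec))
    print("verify wrong:  ", verify_password("Summer2011", rec))
```

The lookup recovers alice's and bob's shared password (and carol's "hunter2" is missed only because it is not in the constructed wordlist), while the salted records yield nothing. Note that "appending a key", as the post puts it, helps only if the value is random and distinct per user; one fixed site-wide suffix still lets an attacker who learns it rebuild a single table for the whole database.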
|
|
|
|
|
I agree with you, but if you're going to do encryption with hashes then I would go for SHA-512, not MD5 or SHA1, because SHA-512 as far as I know does not have any weaknesses and is very secure.
|
|
|
|
|
Code Master123 wrote: SHA-512 as far as I know does not have any weaknesses
Just wait a little, until computation power rises and somebody finds a weak spot.
There is no 100% secure way - not even the one-time pad, because there are always humans involved and they get socially hacked.
|
|
|
|
|
I can't understand why CListCtrl got 5 in other answers...
What's that...
|
|
|
|
|
Do you use VB, or have you been living in a hole for some time?
Two heads are better than one.
|
|
|
|
|
Using VB is living in a hole.
|
|
|
|
|
I understand that this is the question about www.CListCtrl.com from the previous thread. It's not about VB guys... Really, what the hell is "www.CListCtrl.com"???
|
|
|
|
|
|
And to add, we need a Wiki entry for CListCtrl
Two heads are better than one.
|
|
|
|
|
Absolutely
|
|
|
|
|
Money well spent !
ragnaroknrol The Internet is For Porn[^]
Pete o'Hanlon: If it wasn't insulting tools, I'd say you were dumber than a bag of spanners.
|
|
|
|
|
The senior programmer decides the ways to implement the cryptography.
He has some discussion with the Project Lead.
Rating always..... WELCOME
Be a good listener... Because opportunity knocks softly...
|
|
|
|
|
I agree with this; this is the most common scenario in my opinion
|
|
|
|
|
Nope, this is a non-facile task if taken seriously, beyond even good Senior Devs who haven't studied it as a subject:
See this guy's reply[^]
I wrote the crypto-blocks for my previous employer, but would have been much happier if someone who really understood this did it, as I only have a working knowledge of such matters. One problem is storing the keys (both in code, and protecting them in memory when in use); the easiest way to do this is in an array, but this is contiguous in memory and easy to spot by a hacker.
ragnaroknrol The Internet is For Porn[^]
Pete o'Hanlon: If it wasn't insulting tools, I'd say you were dumber than a bag of spanners.
|
|
|
|
|
Tech lead / System architect
|
|
|
|
|
By law certain sensitive information needs to be encrypted (contact numbers, ID numbers, VAT numbers etc., banking details & passwords), and a strategy must be planned for protecting/obfuscating the keys as much as possible, making it harder to hack using reflection. Isolated storage and/or SecureString in C# is a very good strategy to do this.
Using obfuscation software makes code much harder to read and interpret; good obfuscation software also encrypts clear text, adding an extra level of security. The biggest drawback with obfuscation is that it may cause problems with serialization and reflection.
One sure and safe way to protect data from being intercepted in transfer is asymmetric public/private key encryption: only sharing the key that data is encrypted with, and protecting the key that decrypts data on the respective machines.
Chona1171
Web Developer (C#), Silverlight
|
|
|
|
|
While outside contractor was an option, I did not see an option specifically stating a Crypto-Analyst. While I will do crypto work for companies and I am an "outside contractor", I always recommend they hire a specialist with a Ph.D. in cryptography. I am not qualified to gauge the strength of any given cryptographic approach nor to analyze the weaknesses therein. So while I can implement many of the published algorithms or even use a provided library, I feel it is my ethical obligation to tell clients that a person with a lot more nose hair needs to be involved, at least to sign off.
|
|
|
|
|
I took this to mean the design of the utilisation of the crypto tools and the choice of tool to use. It never occurred to me that you would implement your own encryption algos.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
That is kind of what I thought as well. As a programmer over the last 15 years I have enabled encryption on several of my medical imaging applications. Mostly the work spent doing this was selecting a library or using some built-in OS encryption and generating a key or certificate to use with the encryption. After that it was just a standard call.
John
|
|
|
|
|
I am referring to simple implementation as well. How are your keys stored, where are your keys stored, how is the memory protected when keys are in memory, is your algorithm implemented correctly, did you even check? Did you check the quality of your keys? All important questions. I am not a cryptanalyst, and ROT13 appears just as secure as AES-256 to me; in fact, IIRC, the Java built-in crypto algorithms are samples only and not for cryptographic use. Sun even referred you to a third party if you wanted secure encryption.
In my opinion, and if you don't agree read the quality of questions in the forums, most developers are not even qualified to attempt to use the built-in .NET cryptography APIs, let alone certify that they are used in a secure fashion. The fact that most of us can make a few API calls to generate what appears to be crypto-secured data does not make the data secure; only obscure.
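Two of the questions in the post above ("is your algorithm implemented correctly, did you even check?" and "did you check the quality of your keys?") have cheap, mechanical answers that belong in any build. The following is an added example, not code from the poster: it runs published known-answer vectors (the FIPS 180-2 SHA-256 example and RFC 4231 HMAC-SHA256 test case 2) against whatever implementation is handed to it, so a broken or truncated primitive is rejected before use, and it generates keys from the operating system's CSPRNG with a sanity check that catches the gross mistakes (all-zero key, a passphrase used directly as the key). The deliberately broken implementation used to show the check firing is constructed for the example; the heuristics in `check_key` are a coarse guard, not an entropy measurement.

```python
import hashlib
import hmac
import secrets
from typing import Callable

# Published known-answer vectors (FIPS 180-2 appendix example; RFC 4231 case 2).
SHA256_KAT = [(b"abc",
               "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")]
HMAC_SHA256_KAT = [(b"Jefe", b"what do ya want for nothing?",
                    "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")]


def sha256_passes_kat(impl: Callable[[bytes], str]) -> bool:
    """True only if impl(data) reproduces every published SHA-256 digest."""
    return all(hmac.compare_digest(impl(data), expected)
               for data, expected in SHA256_KAT)


def hmac_sha256_passes_kat(impl: Callable[[bytes, bytes], str]) -> bool:
    """True only if impl(key, data) reproduces every published HMAC digest."""
    return all(hmac.compare_digest(impl(key, data), expected)
               for key, data, expected in HMAC_SHA256_KAT)


# Reference implementations from the standard library.
def stdlib_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stdlib_hmac_sha256(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Constructed "broken" implementation: silently truncates the digest, the kind
# of defect a casual "it produced hex, looks encrypted" check never notices.
def truncated_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()[:32]


def generate_key(nbytes: int = 32) -> bytes:
    """Key material from the OS CSPRNG; never from random.random() or a phrase."""
    return secrets.token_bytes(nbytes)


def check_key(key: bytes, min_len: int = 16) -> bool:
    """Coarse sanity check for key material (constructed heuristics):
    - long enough for the intended cipher,
    - not a single repeated byte (e.g. all zeros from an uninitialised buffer),
    - not entirely printable ASCII, which almost always means a human-chosen
      passphrase was used directly instead of being run through a KDF.
    A 32-byte random key is all-printable with probability (95/256)**32,
    so a false rejection here is practically impossible."""
    if len(key) < min_len:
        return False
    if len(set(key)) == 1:
        return False
    if all(0x20 <= b <= 0x7E for b in key):
        return False
    return True


def self_test() -> bool:
    """Run at startup: refuse to proceed if the primitives are not behaving."""
    return sha256_passes_kat(stdlib_sha256) and hmac_sha256_passes_kat(stdlib_hmac_sha256)


if __name__ == "__main__":
    print("stdlib primitives pass KAT:", self_test())
    print("truncated SHA-256 passes KAT:", sha256_passes_kat(truncated_sha256))
    key = generate_key()
    print("fresh key acceptable:", check_key(key))
    print("zero key acceptable:", check_key(bytes(32)))
    print("passphrase-as-key acceptable:", check_key(b"correct horse battery staple!!!!"))
```

Wiring `self_test()` into application startup (or the unit-test suite) turns "did you even check?" into a yes that is re-verified on every build and every platform the code ships on, which is exactly where a wrong library binding or a FIPS-mode surprise would otherwise go unnoticed.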
|
|
|
|
|
I hate it when a discussion makes me think about my own position/outlook. So it seems I am making my passwords obscure rather than secure.
I would think that most senior/lead devs should be able to implement the existing systems; anything beyond that, nah. I see your point about a dedicated professional.
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
Ennis Ray Lynch, Jr. wrote: I feel it is my ethical obligation to tell clients that a person with a lot more nose hair needs to be involved
How much nose hair should I consider to be purely ethical?
I know some guys who would pass with flying colors!
|
|
|
|
|
I agree with you most heartily. Cryptography is a tricky business. There is a risk of catastrophic failure if you do not have someone who actually understands the stuff. It is worth remembering that unlike many aspects of applications people go through concerted effort to make one’s encryption less than effective.
The hacking of DVDs via software or magic marker is a classic example.
Ken
|
|
|
|
|
Each developer is in charge of his own encryption algorithm.
As for decryption? That falls to the director of IT. He's got plenty of time on his hands.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
| "As far as we know, our computer has never had an undetected error." - Weisert
| "If you are searching for perfection in others, then you seek disappointment. If you are searching for perfection in yourself, then you seek failure." - Balboos HaGadol Mar 2010
|
|
|
|
|